Solved: Re: Is it possible to migrate summary indexes from...

sonicZ · ‎01-15-2015

I know this is probably a longshot, but is it possible to create a new summary index in our splunk 4 cluster with data run from a backfill script, the past year? Once the backfill is complete, is it possible to then migrate this splunk 4 summary index over to our splunk 6 indexers? I recall it's possible to migrate old indexes over but you lose the replication ability on that index. If we have the summary data migrated, that would be great. It would be fine if things like replication, report acceleration do not work with the migrated data.

Also, we have more indexers in the splunk 4 cluster vs the splunk 6 cluster. What would be the best way to merge two old splunk 4 summary indexes into one splunk 6 summary index?

srioux · ‎01-15-2015

In theory, yes. You may need to play around to find out what the best way is to perform this migration, based on your particular environment(s).

Additional readings:
Documentation links:
http://wiki.splunk.com/Community:MoveIndexes
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Moveanindex
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Migratenon-clusteredindexerstoaclustereden...

Similar Answers post for index migration:
http://answers.splunk.com/answers/133426/summary-index-migration.html
http://answers.splunk.com/answers/86982/moving-a-summary-index.html

Backfill summary index (these seem to be for 6+, though):
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Managesummaryindexgapsandoverlaps
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Usesummaryindexing

Backfill summary index:
http://answers.splunk.com/answers/40629/summary-index-backfill.html (one of the comments lists out a command to do backfill)

As an alternative, once everything's filled out as summary in the 4.x environment, you might be able to export the data as "raw", and re-ingest in the new v6.x environment (ex: create a temp directory on a forwarder, drop the file in there, let it pull the records and fire them across your v6.x indexers).

View solution in original post

srioux · ‎01-15-2015

In theory, yes. You may need to play around to find out what the best way is to perform this migration, based on your particular environment(s).

Additional readings:
Documentation links:
http://wiki.splunk.com/Community:MoveIndexes
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Moveanindex
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Migratenon-clusteredindexerstoaclustereden...

Similar Answers post for index migration:
http://answers.splunk.com/answers/133426/summary-index-migration.html
http://answers.splunk.com/answers/86982/moving-a-summary-index.html

Backfill summary index (these seem to be for 6+, though):
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Managesummaryindexgapsandoverlaps
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Usesummaryindexing

Backfill summary index:
http://answers.splunk.com/answers/40629/summary-index-backfill.html (one of the comments lists out a command to do backfill)

As an alternative, once everything's filled out as summary in the 4.x environment, you might be able to export the data as "raw", and re-ingest in the new v6.x environment (ex: create a temp directory on a forwarder, drop the file in there, let it pull the records and fire them across your v6.x indexers).

Is it possible to migrate summary indexes from Splunk 4 to Splunk 6?

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

Is it possible to migrate summary indexes from Splunk 4 to Splunk 6?

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console